jomo

@jomo@mstdn.io

eng/deu | Privacy, Infosec, OSINT, OPSEC, OSM, CTF, Shitposts, Real Hacker™

Account managed by team; personal posts are signed with /s


keyboards, to random
jomo,

[PROBLEM] 👇👇👇👇👇👇

RolandRides, to random German

It's the cyclists' fault, because they annoy innocent drivers on the bicycle street, who then in turn have to run over children https://www.tz.de/muenchen/stadt/schulweg-drama-in-muenchen-junge-von-auto-erfasst-93059471.html

jomo,

"The driver was no longer able to prevent a collision with the child."

Well, shit happens. Force majeure. Nothing you can do, I suppose.

This kind of reporting makes me sick.

The driver could have avoided hitting the child ("collision", lol) by adapting his driving.

jomo,

So the car was a Mercedes, which was apparently relevant to the reporting. What brand was the bus, and what brand of shoes was the boy wearing?

hisham_hm, to random

How spoofable is an email From: field nowadays?

I know that back in the days of POP3 and unencrypted email you could write anything in From: and one would have to cross-check with the other headers to see if the message at least went through the domain in the address.

I believe nowadays big servers like gmail are stricter in the email they accept (to the point of rejecting valid emails, which is super annoying, I know), but is there a standard in check that foo@bar.com comes from bar.com?

jomo,

@kinnison @hisham_hm is the Sender Policy Framework, not "Sender Permitted From", and by design does nothing at all with the "From:" header. SPF only concerns the SMTP "MAIL FROM" line, which is not part of the actual email headers and thus is not and cannot be displayed by email clients. This is explicitly mentioned in the security considerations of the RFC: https://www.rfc-editor.org/rfc/rfc7208#section-11.2

1/3

jomo,

@kinnison @hisham_hm does help against spoofing headers such as "From:", and the mail body. It comes with the major caveat (amongst others) that once leaked, you have no way* to plausibly deny authorship of emails. IIRC this has happened with Hillary Clinton's mails on Wikileaks.

*you can regularly rotate your signing keys and publish the old keys, however there does not seem to be a standard way of doing this.

2/3

jomo, (edited )

@kinnison @hisham_hm There's also which instructs servers how to interpret the SPF and DKIM rules. The important part here is called "alignment", where the domain in the "From:" header must match that of the MAIL FROM line and the signer of the DKIM signature. Otherwise SPF/DKIM wouldn't protect against spoofers authenticating themselves. It's noteworthy that Microsoft does not refuse mails as instructed.

tl;dr: it's complicated and email is a mess.

3/3
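As an added illustration of the "alignment" rule described in the thread above (this is not code from any of the posters; it models the check that DMARC, RFC 7489, specifies), the Python below takes a constructed message, the separately supplied SMTP MAIL FROM identity and the SPF/DKIM verdicts a receiving MTA would already have computed, and decides whether either authenticated identifier aligns with the header From: domain. The sample messages, domains and addresses are constructed, and the organizational-domain lookup is a deliberate simplification (last two labels instead of the Public Suffix List).

```python
"""Added example: DMARC-style identifier alignment of the SMTP MAIL FROM
domain and the DKIM d= domain against the header From: domain.
Messages, domains and addresses are constructed."""
import email
from email.message import Message
from email.utils import parseaddr
from typing import Dict

# Constructed message whose envelope sender and DKIM signer belong to the
# same organization as the visible From: address.
MSG_ALIGNED = """From: Alice <alice@example.org>
To: bob@example.net
Subject: quarterly report
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

see attached
"""

# Same visible From:, but the envelope sender and DKIM signer are a different
# domain: SPF and DKIM can both pass while nothing vouches for example.org.
MSG_MISALIGNED = """From: Alice <alice@example.org>
To: bob@example.net
Subject: quarterly report
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=third-party.example; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

see attached
"""


def domain_of(address: str) -> str:
    """Lower-cased domain of an address ('' if there is none)."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(msg: Message) -> str:
    """The d= tag of the first DKIM-Signature header, or ''."""
    sig = msg.get("DKIM-Signature", "")
    for tag in sig.replace("\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return ""


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification (assumption): the last two
    labels; a real evaluator consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str = "relaxed") -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same
    organizational domain (mail.example.org vs example.org)."""
    if not identifier_domain or not from_domain:
        return False
    if mode == "strict":
        return identifier_domain == from_domain
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate(raw_message: str, mail_from: str, spf_result: str,
             dkim_result: str, mode: str = "relaxed") -> Dict[str, object]:
    """Combine the MTA's SPF/DKIM verdicts with alignment against From:.
    mail_from is the SMTP envelope identity, which never appears in the
    headers a mail client shows."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    spf_domain = domain_of(mail_from)
    dkim_domain = dkim_signing_domain(msg)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, mode)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, mode)
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,  # either aligned identifier suffices
    }


if __name__ == "__main__":
    print(evaluate(MSG_ALIGNED, "<bounces@mail.example.org>", "pass", "pass"))
    print(evaluate(MSG_MISALIGNED, "<bounce@third-party.example>", "pass", "pass"))
```

The second message is the case the thread warns about: a sender can pass SPF for its own MAIL FROM domain and sign with its own DKIM key, yet neither identifier says anything about the From: domain the recipient actually sees. Only the alignment step ties the two together, which is why a receiver that verifies SPF and DKIM but ignores alignment gains little against header spoofing.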

qbi, to random German
jomo,

@qbi the linked account probably just stole the picture as well. A larger crop can be seen here: https://twitter.com/mariamgegu/status/1780334677095559462

The photo may be by Mariam Nikuradze; she has many similar photos. Unfortunately Twitter is broken and I can't see her posts. https://twitter.com/mari_nikuradze/status/1780301783568400614

jomo, to random German

"Clearly" Russia is to blame for the SPD hack. Or was it perhaps a lack of security precautions after all? Do the announced "consequences" now include better IT security?

mjg59, (edited ) to random

I'm sure this is general knowledge but anyway: never enable SSH agent forwarding by default if you log into any systems that you don't trust 100%. It gives whoever has root on that system the ability to log into anything else your SSH agent can connect to. Either explicitly pass -A or add host entries to ~/.ssh/ssh_config to enable it for the scenarios you need it.

jomo,

@mjg59 what legitimate use case is there at all for agent forwarding that ProxyJump doesn't cover? I can't remember ever having used agent forwarding.

jomo,

@mjg59 could you elaborate? I don't see how the middle man is required for that, as ProxyJump allows you to use your local ssh agent, but the connection over the jump host is encrypted. Am I missing something?
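Added example, not from either poster: a small Python audit of a constructed ~/.ssh/config that reports where agent forwarding is switched on, following mjg59's advice above to enable it only for the hosts that need it, and jomo's point that ProxyJump usually covers the need without exposing the agent. The config text and host names are constructed; the parser models ssh_config's "first matching value wins" rule for the Host wildcards '*' and '?' only (no '!' negation).

```python
"""Added example: audit a ~/.ssh/config for agent forwarding. The config
text, host names and findings are constructed for illustration."""
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

Block = Tuple[List[str], Dict[str, str]]

# Constructed sample config. ssh_config comments must start a line, so the
# remarks sit above the options they describe.
SAMPLE_CONFIG = """
# applies to every host, trusted or not
Host *
    ForwardAgent yes
    ServerAliveInterval 30

Host bastion
    HostName bastion.example.net
    User ops

# the jump host only relays TCP; the local agent still answers the challenge
Host internal-db
    HostName db.internal.example.net
    ProxyJump bastion
    ForwardAgent no

Host ci-runner
    HostName ci.example.net
    ForwardAgent yes
"""

# Same config with forwarding removed; -A can still be passed when needed.
FIXED_CONFIG = """
Host *
    ServerAliveInterval 30

Host bastion
    HostName bastion.example.net
    User ops

Host internal-db
    HostName db.internal.example.net
    ProxyJump bastion
"""


def parse_ssh_config(text: str) -> List[Block]:
    """Blocks in file order as (host patterns, {option: value}). Options before
    the first Host line are global and recorded under the pattern '*'."""
    blocks: List[Block] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # ssh keeps the first value
    return blocks


def effective_option(blocks: List[Block], hostname: str, option: str) -> Optional[str]:
    """ssh(1) semantics: the first matching block that sets the option wins.
    Assumption: only '*' and '?' wildcards are modelled, not '!' negation."""
    for patterns, options in blocks:
        if option in options and any(fnmatchcase(hostname, p) for p in patterns):
            return options[option]
    return None


def audit(text: str) -> List[Tuple[str, str]]:
    """Findings as (host patterns, message)."""
    blocks = parse_ssh_config(text)
    findings: List[Tuple[str, str]] = []
    for patterns, options in blocks:
        name = " ".join(patterns)
        own = options.get("forwardagent", "").lower()
        if own == "yes" and "*" in patterns:
            findings.append((name, "ForwardAgent yes for every host; enable it per Host or pass -A when needed"))
        elif own == "yes" and "proxyjump" in options:
            findings.append((name, "ForwardAgent yes alongside ProxyJump; the jump already uses the local agent"))
        elif own == "yes":
            findings.append((name, "ForwardAgent yes; root on this host can use your agent while you are connected"))
        # a per-host value is useless if an earlier matching block already set one
        for p in patterns:
            if own and not re.search(r"[*?!]", p) and effective_option(blocks, p, "forwardagent") != own:
                findings.append((name, f"ForwardAgent {own} is shadowed by an earlier block (first value wins)"))
    return findings


if __name__ == "__main__":
    for host, message in audit(SAMPLE_CONFIG):
        print(f"{host}: {message}")
    print("fixed config findings:", audit(FIXED_CONFIG))
```

The shadowing check is the part people miss: with `Host *` and `ForwardAgent yes` at the top of the file, the explicit `ForwardAgent no` under `internal-db` never takes effect, because ssh keeps the first value it finds for each option. Putting the permissive wildcard block last, or dropping the option from it entirely as in the fixed config, is what makes the per-host entries meaningful.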

jomo, to random

Germany's most prominent TV news show, the Tagesschau, is using OpenStreetMap and Maptiler to render maps in their brand design.

jomo, (edited ) to Youtube

YouTube search results are crap, as you probably know.

TIL you can simply add a dummy filter such as before:2030 to your search query and it will remove all the unrelated clickbait videos.

jomo,

@maikek it's just a search filter that limits your search results to videos that were uploaded before 2030, i.e. all current videos. Apparently applying a search filter removes the clickbait sections, so this applies a filter that doesn't actually filter anything out.

jomo,

@maikek AFAIK yes. I've changed the OP, hope it's easier to understand now

WestphalDenn, to random German

Aufnahmen von Polizeieinsätzen von der DSGVO gedeckt: Kein Film ist illegal
https://www.lto.de/recht/hintergruende/h/filmen-polizei-einsaetze-polizeigewalt-aufnahmen-beweis-video-dsgvo/?r=rss

jomo,

@caravantraveller @WestphalDenn that's actually correct, the word ("überhören") has different meanings:

[1] to not take notice of something because one chooses not to
"I'll pretend I didn't hear that remark!"

[2] to not take notice of something because one does not (acoustically) perceive (hear) it
"Did you not hear the phone ringing?"

https://de.wiktionary.org/wiki/%C3%BCberh%C3%B6ren#Verb,_untrennbar

jomo,

@caravantraveller @WestphalDenn true, you're right about that

jomo, to infosec

Once again researchers (@epicenter_works) were sued for responsibly disclosing a vulnerability. This time by the Austrian government. The charges were eventually dropped, but not before they had 15k€ of legal fees. Others would have paid them a 100k bounty instead.

You really want us to anonymously drop vulns on the internet, right? I'm so sick of this bullshit.

de-AT: https://orf.at/stories/3355943/

jomo,

Edit: If I read correctly, the @web journalists were not sued; they only published the vuln after it was fixed.

@epicenter_works

Ramonsta72, to random German

You know what the real problem is? Kickstands!!

jomo,

@Ramonsta72 whoever is using the kickstand isn't riding!

richardnosworthy, to opensource Welsh

Being drawn back to again by easy search by category (e.g. 'restaurant Cardiff') and customer reviews.

Would love to see improve/add this functionality.

jomo,

@richardnosworthy this is why I hate that osm.org shows a map and search bar by default. It's a tech demo and developer tool, not a Google Maps alternative. But people keep confusing it with one because it looks similar.

OSM (which is just a database, not a map), does have restaurants in the database, but it does not store (entirely subjective) user reviews. Some applications might combine the two datasets though to achieve something similar to Google Maps, but osm.org will likely never do it.

psy, to random German

Did you know that Mastodon search can search more than just content? Search for posts by specific users (or yourself)? Restrict the date? Search for attachments?

Yep, exactly. It works! No, I didn't know that before either.

Unfortunately there seems to be no useful documentation on this. But @luca has summarised it very well here: https://lucahammer.com/2024/04/25/mastodon-advanced-search-guide-and-operators

jomo,

@luca @psy anyone who doesn't want that should IMO not make their posts public. Forbidding it (which isn't technically possible at all and relies solely on the server respecting it) means that only people with better tooling get a usable search while the ordinary user is left out in the cold. I can search my chats, emails and RSS feeds too, so I want to be able to search my timeline and public posts as well.

That would be the first thing I'd add to an instance of my own.

simontatham, to random

In bash, writing ${var?} instead of just ${var} or $var means if var isn't defined then bash will throw an error and not execute your command, instead of expanding it to "" and carrying on.

mv file1 file2 $subdir # oops, I overwrote file2
mv file1 file2 ${subdir?} # error message instead of disaster

My favourite use of this is for example commands in documentation, with placeholders for the user to fill in. Then it's OK if a user accidentally copy-pastes it without filling them in!

jomo,

@muvlon @Rob_Russell @simontatham this is a very good example of why I always use the more verbose option names. They are much harder to confuse:

set -o errexit
set -o nounset
set -o pipefail

Slightly related: I've seen a post recently where someone suggested to always use the full-length command options when using examples. That way you don't have to guess or look up the meaning, or use them without knowing what it does.

jomo, to random

: configure DHCP to add static routes for 128.0.0.0/1 and 128.0.0.0/1 to your gateway.

This effectively prevents traffic from being routed through a VPN (which usually changes only your default route).

jomo,

This should have said 0.0.0.0/1 for one of these options of course :)
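To show why two /1 routes beat a VPN that only replaces the default route, here is an added Python model of longest-prefix routing (not code from the post; the route tables, interface names and probe addresses are constructed). DHCP can hand out such routes through the classless static route option (RFC 3442, option 121). The model applies the lookup rule a Linux host uses, longest prefix first and then lowest metric, to three tables: a VPN that only adds its own default route, the same host after DHCP has added 0.0.0.0/1 and 128.0.0.0/1 via the LAN gateway, and a VPN client that additionally pins its own /1 routes with a better metric, the way OpenVPN's redirect-gateway def1 does.

```python
"""Added example: why DHCP-supplied 0.0.0.0/1 and 128.0.0.0/1 routes win
over a VPN that only replaces the default route. All tables are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int = 100  # lower wins among routes of equal prefix length


def route(cidr: str, iface: str, metric: int = 100) -> Route:
    return Route(ipaddress.ip_network(cidr), iface, metric)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by the lowest metric."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def bypassed(table: List[Route], vpn_iface: str, probes: List[str]) -> List[str]:
    """Probe destinations whose traffic would leave through something other
    than the VPN interface. This is the check to run after the tunnel is up."""
    leaked = []
    for dst in probes:
        best = lookup(table, dst)
        if best is None or best.iface != vpn_iface:
            leaked.append(dst)
    return leaked


# Constructed route tables: eth0 is the LAN uplink configured by DHCP, tun0 the VPN.
LAN = [route("192.168.1.0/24", "eth0"), route("0.0.0.0/0", "eth0")]
VPN_DEFAULT_ONLY = [route("0.0.0.0/0", "tun0", metric=50)]
DHCP_PUSHED = [route("0.0.0.0/1", "eth0"), route("128.0.0.0/1", "eth0")]
VPN_DEF1 = [route("0.0.0.0/1", "tun0", metric=50), route("128.0.0.0/1", "tun0", metric=50)]

# Constructed probe destinations (public resolvers and documentation ranges).
PROBES = ["1.1.1.1", "8.8.8.8", "203.0.113.7", "198.51.100.20"]


def scenario_vpn_only() -> List[str]:
    """VPN replaces the default route; nothing else changed."""
    return bypassed(LAN + VPN_DEFAULT_ONLY, "tun0", PROBES)


def scenario_dhcp_routes() -> List[str]:
    """DHCP added the two /1 routes via the LAN gateway: they are more specific
    than the VPN's /0, so every probe leaves through eth0."""
    return bypassed(LAN + VPN_DEFAULT_ONLY + DHCP_PUSHED, "tun0", PROBES)


def scenario_def1() -> List[str]:
    """VPN client also installs /1 routes with a better metric: equal prefix
    length, so the metric decides and traffic stays on tun0."""
    return bypassed(LAN + VPN_DEFAULT_ONLY + VPN_DEF1 + DHCP_PUSHED, "tun0", PROBES)


if __name__ == "__main__":
    for name, fn in [("vpn only", scenario_vpn_only),
                     ("dhcp /1 routes", scenario_dhcp_routes),
                     ("vpn with def1 routes", scenario_def1)]:
        print(f"{name}: bypassing tun0 -> {fn()}")
```

The def1 table only ties routes of the same prefix length, so it is a partial answer rather than a fix; the reliable defence is to not install DHCP-supplied routes on networks you don't control (or to run the VPN client in its own network namespace) and to verify the routing table with a probe check like bypassed() every time the tunnel comes up.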

jomo,

@nf3xn what
